[apparmor] 2.5.1 build failure on Arch
andrew thomas
atswartz at gmail.com
Tue Oct 19 21:24:50 BST 2010
On 10/19/2010 12:31 PM, John Johansen wrote:
> On 10/19/2010 09:50 AM, andrew thomas wrote:
>
>> On 10/18/2010 11:49 AM, John Johansen wrote:
>>
>>> On 10/15/2010 09:48 PM, andrew thomas wrote:
>>>
>>>> I am trying to build 2.5.1 on Arch Linux and am getting an error similar to this build:
>>>>
>>>> http://launchpadlibrarian.net/57686487/buildlog_ubuntu-natty-amd64.apparmor_2.5.1-0ubuntu1_FAILEDTOBUILD.txt.gz
>>>>
>>>> It gets through autogen, configure, and make in libapparmor.
>>>>
>>>> Then make in utils, but fails make in parser.
>>>>
>>>> Here is the tail end from
>>>>
>>>> $ cd parser&& /usr/bin/make
>>>>
>>>> http://pastebin.ubuntu.com/514290/
>>>>
>>>> The error message does state that: Kernel needs AppArmor 2.4 compatibility patch.
>>>>
>>>> But, I believe that I applied the proper patches to the kernel.
>>>>
>>>> Any ideas?
>>>>
>>>>
>>> Hey Andrew it actually built but is failing during the caching function tests. These are run against the current kernel, and it isn't finding the AppArmor 2.4 interface.
>>>
>>> You can test for your self by looking for the file /sys/kernel/security/apparmor/profiles if it doesn't exist you don't have the AppArmor 2.4 compatibility patch on your kernel.
>>>
>>> The patch isn't actually necessary but several things will not work if it is not present. The parser won't do compiled policy caching, the init scripts won't work, and aa-status and a few other commands won't work either.
>>> Basically anything that requires introspection of the load policy or supported kernel features doesn't work correctly. Every thing else should.
>>>
>>> If you are building 2.5.1 on a buildd with a kernel that doesn't support the AppArmor 2.4 interface, then I suggest you disable the test in the Makefile with a small patch.
>>>
>>>
>>>
>> I did look in /sys/kernel/security and it is empty.
>>
> This says to me that the LSM is probably not configured correctly.
>
>
>> When I compiled the kernel, I applied these two patches ( http://pastebin.ubuntu.com/515768/& http://pastebin.ubuntu.com/515769/ ) that originally were ubuntu-maverick.git-0d8f737f1c8ad8415b3d5589caf63dee3c1b3d6f.patch& ubuntu-maverick.git-8cb3e0f8ad669be1e2027cbafb58fa7cd1928f76.patch which I modified so they also created security/apparmor/include/net.h& security/apparmor/net.c and would apply cleanly. When I use this on natty to compile the kernel, apparmor (2.5.1~rc1) works as expected, but when I compile on ArchLinux, using the natty-git source, /sys/kernel/security is empty. Any clues to what I am doing wrong? Trying to get apparmor to work on arch may be beyond my abilities, I am sorry if I am wasting your time.
>>
>>
> What config options do you have set under security? These will affect whether AppArmor is compiled and whether it is the default LSM. Since there can only be a single lsm active at a time another LSM can block apparmor.
>
> specifically you need
> SECURITY_APPARMOR=y
>
> in make menuconfig this will look like
> y AppArmor
>
>
> You probably want to set
> SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>
> in menuconfig it is "AppArmor boot parameter default value"
>
> this tells the apparmor module to register it self by default at boot, if it is 0 you must specify apparmor=1 on the kernel command line for apparmor to take effect even if apparmor is set as the default security module.
>
>
> The other config options that can affect apparmor are
> SECURITY=y menuconfig "y Enable different security models"
> SECURITYFS=y menuconfig "y Enable the securityfs filesystem"
> SECURITY_NETWORK=y menuconfig "y Socket and Networking Security Hooks"
> SECURITY_PATH=y menuconfig "y Security hooks for pathname based access control"
>
> DEFAULT_SECURITY=apparmor menuconfig "Default security module"
> this one is not required and can be overriden on the kernel command line,
> so if apparmor is not the default lsm you would use
>
> security=apparmor
>
>
> If this doesn't work, can you attach your config and point me at a tree so
> I can build and test the kernel, and figure out what is wrong
>
> cheers
> john
>
Thanks for your reply John,
The weird thing is that I am using the same .config file to build my
kernels on ubuntu, debian & arch and apparmor works just fine on the
first two. Here is the security section.
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_COMPAT_24=y
# CONFIG_SECURITY_YAMA is not set
# CONFIG_IMA is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_CRYPTO=y
I am getting the source from
git://kernel.ubuntu.com/ubuntu/ubuntu-natty.git and
patch -p1 -R < ../apparmorB.patch
patch -p1 -R < ../apparmorA.patch
git fetch
git reset --hard origin/master
patch -p1 < ../apparmorA.patch
patch -p1 < ../apparmorB.patch
removing and reapplying the patches when I update because they rebase
against Linus' tree. The two patches are the patches that I posted on
pastebin in my last post. What could be different about Arch that would
make the kernels not work right?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/apparmor/attachments/20101019/884ce712/attachment-0001.htm
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config.saved.x86_64
Url: https://lists.ubuntu.com/archives/apparmor/attachments/20101019/884ce712/attachment-0001.txt
More information about the AppArmor
mailing list